We'll be right back.
Let's go.
Let's go.
Thank you for not setting off any smoke bombs.
We really appreciate that.
We're sorry about the heat, folks.
Yeah, let me talk to God.
We'll get it turned down.
Or what?
Mumble, mumble, mumble, mumble.
Popsicles.
More popsicles.
We are trying to get the air conditioning turned up and get it cool.
Please make sure you do drink a lot of water while you're here.
We're going to do a real quick spot the Fed here.
Would Dice Man please raise his hand?
Thank you.
These Feds are not in season up here.
You can't spot them.
There are, however, other Feds in the audience.
It's kind of like cancer cells.
They attract each other.
Would anyone like to try to spot the Fed?
Where's Justice?
Where's who?
Justice.
Where is Justice?
There isn't any Justice in the crowd.
You're talking to the Fed, sir.
What are you talking about, Justice?
Would anyone like to stand up and try to spot the Fed?
You have to stand up, sir.
You're afraid?
It's okay.
You're among friends here.
We outnumber them.
You had a hazy memory from them kicking down your door and butt-fucking you?
What?
The guy in the white hair over there.
Walk over?
Okay.
Black shirt.
That's good, sir.
That's about half the audience.
We've already got one.
Hold that thought, sir.
Hold that thought.
Bring him up here, sir.
Jack is now a PFC.
Is anyone here from the military?
Raise your hand.
Military?
Jack's a former Fed.
No, Jack is now a PFC.
Private, Freak, and Civilian.
Jack retired.
Nice try, sir.
You obviously work for the NSA.
You have higher standards.
Thank you, Jack.
Yes, sir.
Stand up, sir.
Point at him, sir.
Make the accusation, just like an Orwell.
He's already been spotted, sir.
You have him spotted yet?
Bring him up.
Do you work with him, sir?
There's a two-for-one special if you can spot the other one.
They travel in pairs.
They travel in pairs.
All right, this is the audience participation point.
Would Mafia Boy like to kick it off?
It's okay.
Actually, the agent who arrested Mafia Boy is here.
Seriously.
And there is a possibility that Mafia Boy is.
Please don't arrest him.
Because I don't think he's supposed to leave Canada.
Oops.
Canadians, they walk among us.
Do we know who they really are?
Anybody from the audience want to question this man?
Don't be afraid.
He's not wearing...
Try again, sir.
You're supposed to ask intelligent questions, sir.
It's not an intelligent question.
Unless you're from the Marine Corps.
I can answer that.
In which case, are you spotting choppers or the enemy?
Yes, sir.
How often does he have to qualify with a firearm?
How often do you have to qualify with a firearm, sir?
Quarterly.
Quarterly.
Any other questions?
Yes, sir.
Can you carry a weapon on an airplane?
Can you carry a weapon on an airplane?
If I so choose.
Ooh.
What kind of car do you drive?
A suburban.
Oh, wait, wait.
Does it have the cargo racks on top?
That's my personal car.
Oh.
Does it have a governor on it?
No.
Maroon.
Suburban.
No governor.
Bomb squad.
What?
Sir, I don't think he's looking for a date, but thanks anyway.
You know, we have hacker-Fed hookup connections later on in the evening.
Is it still not allowed to be homosexual in the federal government, guys?
Don't ask, don't tell.
Don't ask, don't tell?
Sir, don't ask, don't tell.
But thank you for coming out here at DEF CON.
A round of applause for the guy who decided to come out of the closet.
That was truly a brave thing, sir.
And just take it as flattery.
It's okay.
It means you're a good-looking guy.
Any other questions besides what's your phone number?
Yes, sir.
Can you carry a crank?
A what?
Do you carry a rank?
Can you strap that on your shoulder or something, sir?
Do I carry a rank?
No.
As opposed to a what kind of officer, sir?
A flag officer?
Are you officially issued a firearm?
What is your officially issued firearm?
This one's going to mess you up.
Forty-five.
Would that be a revolver?
You never know.
It could be Wyatt freaking Earp up here, you know?
Customized Springfield.
Dirty Harry whipping out the .44.
Customized Springfield.
Yes, sir.
That's not a fair question, sir.
That's too easy.
Where do you work?
Where do I work?
In a building.
City?
San Antonio.
San Antonio.
What?
Me in Texas.
That would be in the great state of Texas.
Do you have the power to arrest?
Yes.
Do you speak Spanish?
Yes.
Si.
Si.
Si.
Do you say things like,
La migra, la migra?
No.
In the back.
In the back.
You play, play.
Do you play Quake?
No, I play Ultima.
Oh, right on.
Hey, hey, hey, hey, hey.
Some people at Origin are my friends.
It's a cool game.
Fuck off.
And they have a really cool security set up over there.
You know they do, what is it, pumpkin dropping every Halloween?
They get up on the top of the parking structure and you have to hit a target, you want to
win a trip to somewhere?
How cool is that?
Every Halloween, sir.
I don't know.
Not every month.
What's that, sir?
Origin died a few months ago.
They fired everyone except for you.
They're a hardcore people.
Boy, have I been out of the loop, sir.
I work for a living.
What's your excuse?
What's that, I'm sorry?
You're on welfare.
Thank you, sir.
You know, sir, there are jobs out there.
You just have to get off the couch.
I thought they rolled them up in the EA.
Yeah.
They were never a separate entity.
They were never a separate entity.
Yeah.
I'm sorry, sir.
Sir, they were always part of EA.
Very good.
Sorry, we're getting a little coffee wars here.
Yes, sir.
Do you carry a round badge?
Do you carry a round badge, sir?
No.
Are you on speed?
Are you tweaking, sir?
No.
Are you looking for a hookup?
I'm sure there's some guys back here from the CIA.
They can help you out.
Oh, wait.
I'm sorry.
That was Compton and Coke.
My bad.
I'm sorry.
DIA was doing the speed, right?
Or is that Justice?
Oh, right.
What's the name of the bridge between Juarez and El Paso?
For the love of Christ.
Well, that's not going to do any good, because I grew up in El Paso.
So, I can tell you about four.
What's the color of the boathouse at Hereford, sir?
Yes, sir.
I'm sorry.
In the back with the Hawaiian shirt.
The very styling Hawaiian shirt.
Yes, sir.
No question?
Okay.
Any other questions?
Yes.
Do you have a national jurisdiction or is it limited to state?
Good question.
Do you have a national jurisdiction or is it limited to state?
National.
Hold up your sunglasses, sir.
He's got gargoyles.
Nice shirt.
Which background investigation did you have to pass to get the job?
Which background investigation did you have to pass to get the job?
Justice.
Justice?
Justice department?
What is the Justice Department, sir?
Justice department.
No, it's just depending.
B.I.
S.B.I.
B.I.
S.B.I.
B.I.
Don't even know what those are.
B.I.
N.G.O.
What is Area 6, sir?
Come on.
You can tell us.
You're among friends.
We know you spent some money.
I need to stop.
I know, I know. You're getting closer, but... Yes, sir?
What computer certifications do you have?
How about none?
You know, I've dealt with various agencies in the past, and I usually...
Yeah, I've done bank robbery for 25 years, but they just put me in the computer crime squad.
Great. Is your supervisor there?
Yeah, but he did counter-terrorism.
Any other questions? Yes?
What's your handle?
Cygnus.
Cygnus. Anybody in the chat rooms? Look out for Cygnus.
Yes, sir?
What was the last course you had to take for your job?
UNIX.
UNIX.
Sorry?
Again, louder, sir.
No, that was UNIX in a nutshell, sir. I can get you a copy of that, though, if you need it.
Yes?
During your training, did you have to wear khakis or military cargo pants?
Let me translate that. In your training, did you have to wear BDUs or khakis?
Cargo pants.
He works for Southwest. Yes, sir?
When you were hired, did you have to take a polygraph test?
When you were h... Okay, that was actually for the man who stood up, but that's fine.
We'll get you in a second, sir. When you were hired, did you have to take a polygraph exam?
Yes.
Yes, sir?
How often?
How often are you fluttered per year?
How often are you what?
Polygraphed.
We're not.
They're not.
How often are you psychologically examined per year?
Uh, case-by-case basis.
Case-by-case basis.
Do you work in the child porn group, sir?
No.
Have you?
No.
Do you want to?
No.
You never know.
Yes?
Do you have to take a piss test?
You know, yesterday we had a guy from the Netherlands.
The Netherlands was fascinated by scat and urine.
Looks like we've got another one.
Do you have to take a piss test?
Yes, we do.
Would you like to know the color and consistency, sir?
Yellow.
How often?
Yellow, and how often?
Random.
Random.
Did you take one this morning?
No.
Are you looking to hook up?
I told you, you got to talk to the DOD over here.
Do you want a beer?
Do you want a beer?
Yeah.
Just, be careful, make sure the cap's on it.
Yes, ma'am.
Go.
sip. We don't swallow, he says.
Yes, ma'am.
Does your agency block large shipments coming across borders?
No. They just arrest those guys.
No.
Do you deliver on Saturdays?
Sometimes.
Is it time and a half or double time?
It's neither.
Your salary, I'm sorry.
Yeah.
Yeah.
What's your GS level, sir?
13.
Ooh.
He's paid well.
Yes, sir.
What was your major in college?
Chemistry.
So you'd cook up some stuff for us later?
I'm not stepping on anybody's toes over here, okay?
No.
Does your major apply to your job?
No.
Did it?
Never.
Anyone want to hazard a guess at where you're from?
Where he's from?
Are you from the Air Force OSI?
Nope.
Oh, not even close, Mr.
Are you from the Department of Treasury?
I said I'd take the Justice Department exam.
That would be a no.
That's Fed-ese for no.
In the back.
In the back with a beard.
That's you, sir.
Are you with the FBI?
Yes, sir.
Yes, sir. Do you have your creds?
Do you have your creds?
Yes.
He has his creds.
Okay. Oh, have you seen Scully and is she pretty hot?
I've seen her as much as everyone else has.
So there's no X-files?
She looks pretty hot to me.
Hey. This is what a real FBI badge looks like. Don't photograph that.
That's a felony.
That's a felony. Don't make it easy for them.
That's a nice picture. Look at that. You look real serious there.
I'm sorry, sir. I'm straight. But there's a guy back there who wants your phone number.
Thank you, folks. We're going to turn it over to the actual Fed panel.
Okay.
Okay. Good afternoon. Thanks for getting started, Priest.
The answers for me were yes, yes, Chevy, no, M-11, no, no, yes.
We're not going there.
Okay. Welcome to the show.
This is the third Meet the Fed panel.
I'm Jim Christie.
I'm a criminal investigator with Air Force Office of Special Investigations.
And I've been detailed away.
I'm the law enforcement counterintelligence coordinator for the Defense-wide Information Assurance Program.
And we put a pretty diverse panel together for you this afternoon.
And what we're going to do is I'm going to introduce each of them.
They're going to make a two- or three-minute opening statement.
And then we'll just turn it over to you guys for questions.
But before we do that, I am in the market for trading T-shirts, obviously extra large.
So anybody see me afterwards?
T-shirts.
Okay. On my immediate left is Arizona State Representative Wes Marsh.
Wes has been a state legislator since 1994.
Has over 20 years of military experience.
And he's chairman of the Military Veterans Affairs and Aviation Committees in the House of Representatives in Arizona.
This year Representative Marsh introduced a bill, which was the first bill ever in the United States,
to create a state infrastructure protection center for Arizona to protect Arizona from both physical and cyber threats.
Immediately to his left is Keith Rhodes.
Keith is currently the chief technologist of the U.S. Government Accounting Office
and is the director of the Center for Technology and Engineering, which includes the GAO's e-security laboratory.
In this role, he provides assistance throughout the legislative branch,
basically comes in and rakes, pillages, and plunders on the executive branch for the legislators.
And then we have Special Agent Jim Savage.
That's just a nickname.
U.S. Secret Service.
Jim is the deputy special agent in charge of the Financial Crimes Division of the U.S. Secret Service in Washington, D.C.
And part of his responsibility is oversight of the Electronic Crimes Branch.
He was also detailed up on the Hill to Senator Kyl as a staffer.
And has been assigned to the Vice President for protective detail.
Next to him is Ray Simcoe.
Ray is Interagency OPSEC support staff.
He was a 30-year MI special agent, military intelligence, working counterespionage, counterintelligence.
After Ray retired, he was a CI agent for the Department of Energy
and now is with the Interagency OPSEC support staff.
Next to him, who is that?
Paul Smulin.
Paul is Chief of Staff for the Information Assurance Directorate for ASDC3I.
He's a graduate of U.S. Army War College and University of Maryland.
And has held multiple assignments in NSA.
On the end down there is Kevin Manson.
Kevin Manson is an instructor at the Federal Law Enforcement Training Center.
Down in Glynco, Georgia.
Now, before we get started and we turn it over to these guys and let them make an opening statement.
What they've asked is they want to know who they're talking to.
They've heard some of your questions.
So we'd like to do a little survey.
Could everybody stand up just for a second?
Okay.
Wow, this is pretty good.
Okay.
If you have never broken the law
by hacking a system, sit down.
Okay.
Now, what we'd like you to do is really save us a whole lot of effort.
We want you to be good Americans.
And all of you that we have pictures of that we're standing at have broken the law.
What we'd like you to do is meet us, immediately following this panel,
at the law enforcement booth at the pool.
Please, please bring a photo ID and your toothbrush.
Okay.
We're going to turn it over and Wes Marsh is going to make a couple opening statements.
Go ahead.
Testing.
Testing.
Hey, Jim, thanks for the great introduction.
It's a pleasure and honor to be here.
He's like the first elected official ever at the DEFCON.
So I'm honored and very humbled to be here.
So there are a few of us politicians out there that are not scared to face the public and face the media.
Now, obviously, before I came...
He'll change his mind after this is over.
Yeah.
Yeah.
Particularly at the pool.
Obviously, living in Arizona, you know, we have to...
Everywhere we go, we want to see where our constituents,
because we all want to make sure we're in touch with our voters.
And I'm just wondering, can I have anyone from...
It's from Arizona.
Okay.
Yeah.
No, we're all citizens that are in Arizona.
But thank you again.
A pleasure to be here.
As Jim said, I was the first legislator ever to introduce legislation
to enact laws.
In fact, a statewide infrastructure protection center
that incorporated both the physical and the cyber portion.
Traditionally, they both have worked separately and never talked.
And that's a problem because those of you who are involved in information systems
on both sides of the aisle know that everything we do
and everything we touch has something to do with information.
When you pick up the phone to call 911, to call one of these guys,
or to call an ambulance, you want to make sure they're there.
And if someone's gone in to mess with the system, they're not going to respond.
And that's a problem.
And that's why it's important that we have the information sharing
with the physical, the emergency manager in each state,
as well as the state CIO, the chief information officer,
because the wire heads have to be talking to the physical guys.
And again, for those of you...
The government does not own the infrastructure.
I know some of you probably think they do.
We don't.
You own it.
You as the citizens do.
And the utilities, the water treatment systems,
those are all owned by municipalities.
So think about that, too, as well,
that really the closest government is your state and local government,
not the federal government.
I know they all think that they're supreme,
but the last time I checked, the 10th Amendment said
that the states are superior and supreme.
But...
So if y'all could help remind them of that, too,
that, you know, it was the states that were there first
before the federal government, but...
Okay, thank you, Wes, for being a part of it.
Meet the Fed panel.
Keith, you're done.
If you let a politician, they just, like, go on and on.
Hello, my name is Keith Rhodes,
and I'm the chief technologist at the General Accounting Office.
Over the last...
In the Center for Technology and Engineering,
we have two groups.
One, we go in and do engineering analysis,
usually of failed...
Usually of failed programs.
I can't hear you.
Sorry.
I have two groups that are housed in my center.
One is a group of engineers that goes in and does analysis
of things like national missile defense and stuff like that.
But then the other group that's probably more germane
to this conference is the people who work in the e-security laboratory.
And what we've done for the last few years
is we've performed about 100 penetration tests
against departments and agencies in the executive branch
on behalf of the legislative branch.
And I guess just to tell you our track record,
we have 100% success.
Ten out of ten,
I'm getting the mainframe.
Nine out of ten,
I'm getting the Unix boxes.
Ten out of ten,
I'm getting the Linux boxes.
Sorry, but that's the way it goes.
Eleven out of ten,
I'm getting the Windows systems.
And that's what we do.
Hi, I'm Jim Savage from the Secret Service.
And my pleasure to be here today.
As far as I know,
I'm the first Secret Service agent
that's participated in this conference.
Depending on how it goes today,
I might be the last.
But for those of you that do know or don't know,
I'll give you just a real quick spiel on the Secret Service.
I think everybody's familiar with our protective mission.
However, the Secret Service is a Treasury law enforcement agency.
It was established in 1865 to suppress counterfeiting.
That mission continues today.
However, over the years,
as our payment systems have evolved,
so has our mission and our jurisdiction.
We currently share concurrent jurisdiction
with most of the computer crime law out there
with the FBI,
as well as access device fraud.
The cornerstone of our investigative program
as it exists today
is built around what we call our ECSAP program.
That's Electronic Crimes Special Agent Program.
We have about 175 trained agents today
that are deployed to various field offices
throughout the U.S. and a few overseas
to work our high-tech investigations.
And I'm not going to preach to anybody today,
but I just thought it would be a good idea
to open up a little bit of a dialogue
with you guys out there.
This is, I think, kind of the cyber equivalent
of community policing.
In the physical world,
the cop walks the beat amongst those
in the neighborhood.
In the cyber world,
this is our cyber community.
There are no boundaries,
no geographical boundaries.
So without any further ado,
I look forward to entertaining some questions from you,
dispelling a few notions,
one of which I can do right now
that feds don't work on the weekend.
Here I am.
And maybe confirm a few notions that you have.
But I look forward to participating.
Thanks.
Thanks, Jim.
How many of you have heard Ray Simcoe speak?
Okay.
Well, then you all know why he's had multiple orgasms
here in Vegas,
looking at all these dice tables.
He's the dice man.
Go ahead, Ray.
Good afternoon.
I represent the Interagency OPSEC support staff.
We're located in Greenbelt, Maryland.
We are the executive agency responsible
for implementation of operations security
throughout the federal government.
We do this in corporate America.
We do it in the federal government.
Our job is to protect sensitive but unclassified information,
to help people protect their intellectual property,
to help people protect that which is not classified
but that information which isn't unclassified.
Basically, I personally have been in the United States government
since 1967 when I received my draft notice.
I was drafted in 1967.
How many people here have been drafted?
Any?
Wow.
What an audience.
What an audience.
How many people have been in the military in this audience?
Can I see a show of hands?
All right.
I decided at the age of 19 I was going to stay in the federal government,
not because I loved it so much,
but because I knew that I could not affect change
unless I was inside it.
That's why I look the way I do.
I don't fit the mold.
Listening to Simple Nomad yesterday,
he said,
you've got to think outside the box.
That's what I do.
I try and think outside the box.
What I'm trying to do is protect this country,
protect all our rights,
so that you people out here can do what you enjoy doing.
Okay?
We all are in this country together.
We all have to have each other's back.
I go around the world telling people what the threats are
and how to counter them.
And I do it a little bit differently.
I do it differently than the average bear.
So as Jim already stated,
I have loved my time here just dealing with some of you people.
Not that I'd invite a lot of you to my home to eat,
but it's great to see this part of America.
And it's great to work on weekends
because if you believe in your job,
and that's what keeps me going to work.
See, I retired from the United States Army after 21 years in 1988.
I don't have to work for a living.
I can live on that military retirement.
I can only live in central Pennsylvania.
But I can live on that retirement, folks.
So I'm here to make a difference,
just like you guys are.
We can all do this that's for the betterment of America,
not to detriment.
What I cannot take is all these other countries out there
who think we're weak,
who don't think that we're united,
and that we're easy prey.
And that's what I fight against.
Thank you.
Thank you.
How the hell do I follow that?
Hi, I'm Paul Smullyan.
It's great to be here.
As I look out over this really filled hall,
actually I'm pretty scared to death.
The Department of Defense is dedicated to providing
secure and confident services to the war fighters of this country.
To that end, the Assistant Secretary of Defense
for Command, Control, Communications and Intelligence
and the Director of Information Assurance
work not only within the Department,
but within other government agencies
and our international allies and coalition partners
to protect our critical infrastructures
that support our everyday requirements,
such as electricity, water, transportation.
Which are vital to the Department's ability
to provide automated services.
While providing those services
and protecting those critical systems,
we're often challenged
by many of you that are out there in the audience today.
As we meet your challenges,
we continue to strengthen the network defenses
so vital to protecting our critical infrastructures.
So in a way, you guys out there
who are trying to cross that proverbial line,
actually give us an opportunity
to make things a little stronger
on the information network security side.
That is not an advertisement for you
to go out there and try a little harder.
Okay?
As a matter of fact,
if you continue to try a little harder,
these guys on my right might come and get you.
So, it's great to be here.
I look forward to your questions
and feel free to ask everybody else
on the panel anything you want.
My name is Kevin Manson.
I have a very prominent relative
in law enforcement custody.
At least that's what I tell my students
at the Federal Law Enforcement Training Center.
I'd like to thank several people, first of all,
for being here.
I'm a newbie here
and I'm kind of on the CINAC track here.
I'm very receptive to talking to any of you
who want to get a sense of what it's like
for people who are involved in training
the kind of people that,
I guess the people that we call cyber cops.
That term cyber cop is a term
that I coined a number of years back.
And I've been very fortunate
to speak with a lot of cyber cops,
but I want to make it clear here today
I do not presume to speak for them.
I work for the Treasury Department.
We train law enforcement agents
at the Federal Law Enforcement Training Center,
which is down in Georgia.
We train 20,000 agents a year.
We have a full-time population on the campus there
of about 2,000 students.
I consider myself to be a netizen
and I think it's very important
that we all share one goal
and that is to protect and defend
that very, very valuable resource,
one of the most important things
that's been created by mankind in my opinion.
I want to thank very dear friend Bill Tafoya
who called me not very long ago
and invited me to join him for the keynote
at the Black Hat Conference several days ago.
Bill was called in when Richard Clarke
was not able to make it to the Black Hat Conference,
so I was very privileged to be able to join him there.
I also want to thank Jeff and BK
for their invitation
and for their very gracious hospitality
while I've been here.
The keynote at the Black Hat Conference,
Bill and I spoke about what I guess we've coined
as the Cyber Civil Defense Corps.
And one of the things I've tried to do
in the number of years I've been doing this,
and I've been on the net since about 1988
where I joined a number of other people
in a little small community out there
in Sausalito, California called The Well.
And one of the things I've tried to do since then,
thanks, and well-beings out there,
glad to hear that.
I've already talked a couple of you.
I'd be glad to talk to any of you
that would be interested in talking to me about it.
I'm going to finish up with this.
I'd just like to say that one of the things
in my SIG file that I include when I send email out,
and I'll just read it here,
the truly elite are not those who attack
and destroy in cyberspace,
rather they are those who protect and defend.
So I would welcome and join you to come,
since we all have a common mission,
to help us do that as we carry out our duties.
Thanks very much.
Okay, now we turn it over to you guys.
Please, you know, stand up and yell out your questions.
Okay, right here in front.
He said that...
He? Okay.
He said that as the taxpayers,
we basically own the government.
So in which case,
it is legal for us to have your own systems.
So we own the government's files.
Repeat the question.
The question was,
as you remember in my comments earlier,
that you as the citizens have owned the government.
And actually, if you go back and look in the Constitution,
actually, I don't want to get religious on it,
but God gives the government down to the people,
and the people give the government the power.
So the government has been empowered
by the people, the citizens.
His question was,
if the people have given the government the power,
then basically the people own the government.
Therefore, you're hacking your own system.
Well, I guess my question is,
we all, all of us have records
that are our own personal information.
And I certainly don't want,
other than what I have to file publicly by law,
but I think I have a right entitled my privacy.
And even though my stuff and your stuff is on there,
like your taxpayer records,
I think you have a right to that privacy.
Your health records,
I don't think you want anyone knowing your medical history
and the legislation.
The legislation, the HIPAA legislation,
basically provides security
and confidentiality of those medical records.
So I think in that sense,
you deserve a right to that privacy
and the security of those information.
Anybody else want to take that question?
Hi.
There's a lot of talk about Americans here.
I'm split between Norway and the UK.
And I'm just wondering,
do you have any foreign operatives?
So do you do any, you know...
Let me answer that for the panel.
Yes.
Okay.
For the GAO,
you often do penetration testing
and you do recommendations.
And there have been reports put out for the last,
God, at least 10 years,
over systems that have been penetrated
over and over and over again.
Why don't the other departments
follow the GAO's recommendations?
Well, I mean, one of the points is that,
yeah, we go in and we test.
But the tests are sort of like the tests that everybody does.
They're a snapshot in time.
And so they'll...
We make the recommendations.
We've made, Christ, I don't know,
4,000, 4,500 recommendations.
But when they're down to the level of,
you know, something dot something dot something
has this particular hole in it,
please, you know,
please patch sendmail for the 50,000th time.
They patch sendmail,
but of course they patch it on that machine.
So in reality, they have met the recommendation.
I've realized that this is something
that's a circular argument.
But what they have to understand
is that we don't go away.
We have a requirement
under the Chief Financial Officers Act
to test what's called the internal controls.
It's the security controls
of the 24 departments and agencies
that fall under that.
That's DOD.
That's EPA.
That's people like that.
It's not until we get into a situation
like the Environmental Protection Agency
where,
before the report was released,
even the public report,
I sat down and said,
you know,
when this report hits our web page
and when the information is released from the committee,
you're going to have about eight minutes
before everybody in the world starts coming after you.
And that's assuming that you don't know
all the people who are already in.
So EPA pulled itself off the net
and was off for approximately a month.
Now, they had to shut down their operation for a month.
It's not until it's a catastrophic failure
that somebody actually gets
the internalization of security.
Well, if we, you know,
continue to do broad-brush examinations
and they don't have
a completely catastrophic failure like that,
then all we can do
is have them meet the recommendations.
It's just like, you know,
comments from the community, right?
They're going to say, you know,
please don't run XP.
Well, you're going to say, please don't run XP,
and everybody's going to run XP anyway.
And that's a non-securable operating system.
You know, it's a non-securable environment
because it does so many things
to help your functionality.
It tries to make the world so much easier for you.
So all we end up doing is fixing those little holes.
But we have standing legislation.
We do have to go back again
and again and again and again.
Now, maybe eventually they'll get it
and they'll understand
that they have to take it from cradle to grave,
but all we can do is embarrass them.
Anybody else on the panel want to take that?
And one thing I might add,
all of you, I assume,
are American citizens and are voters,
and you need to write your elected officials
and let them know, say, hey,
I read the GAO report, IRS,
they went in and got these taxpayer records.
What are you doing to make sure this is stopped?
And I know a lot of you out there,
you're not doing it to be mean,
you're not doing it to be,
even though it is illegal
and it is a federal crime to hack into a system,
you're doing it to say, listen,
you've got a vulnerability, fix it.
And that's, you're trying to do something,
well, at least the ones that I've talked to,
that's what they tell me, but, you know.
What am I? I'm just a politician.
Just kidding.
But you need to be in touch with your elected officials.
You need to say, listen,
what are you doing to make sure policy is in place
to enact, because that's what he's doing.
That's his job.
That's why we're using taxpayer money
to him to test these systems,
so you don't have to test them.
So I just encourage you all to do that.
I would just like to add very quickly,
the federal government is not that much different
than the private sector in the sense that
in terms of the understanding and the need for,
say, information security or protecting the systems
is not necessarily readily embraced
by all those at the top that need to have it.
So unless a business case is made,
um,
not until that happens will you make a believer
out of either a private corporation
or even someone in the government.
And with government,
you're talking about bureaucracies.
That means they have to reapportion a part of their budget
dedicated towards the security aspect,
and the government is sometimes slow to change in that regard.
Next question.
My question kind of spawns a small conversation.
With the integration of computers into everybody's lives,
there's going to be crimes ranging
from a smaller level to a very large level.
It's going to be a more common thing over the years,
even just little pranks.
Maybe instead of TPing somebody's house,
you drop their whole network at their home.
On the larger end,
what this is basically is that the government,
over time,
I think,
has been more educated on these crimes
and how to deal with them.
But I think sometimes we've heard some media horror stories
on how some hackers have been dealt with
when they've hacked into a machine
and basically,
like Kevin Mitnick,
three years or so in jail with no trial,
and he's probably an extreme case,
but are you guys becoming,
I think you are,
just to kind of reassure the crowd here,
becoming more educated as far as how to deal with these crimes
in a fair and proper manner?
I'd be glad to take that one.
My day job is training cyber cops,
and one of the most important things we do
is we train law enforcement not only to enforce a law,
but to obey it as well.
And the people that I work with,
some of the last people that see federal agents,
you know,
the people with the badges and the guns and the laptops,
we are some of the last people to see those
before they get out into the field
and they start having to carry out their day-to-day duties.
And one thing I'd like to do is I'd like to,
I'm going to kind of a listening port,
I've opened for the conference here,
I'd like to leave an email address
for any of you who'd like to carry on a dialogue,
like to provide us with some insights,
provide us with some viewpoints
that perhaps we don't get during the rest of the year.
The email address I set up is
DEFCON underscore Niner,
N-I-N-E-R,
somebody else took DEFCON 9,
at hotmail.com.
I think this issue of training is absolutely critical.
We need to rely upon a lot of technology
that many of you have skill sets for,
and that's the reason why the keynote
that Bill and I delivered earlier this week at Black Hat said,
we do need your assistance,
but we're not looking at the assistance
from the perspective of you joining the Cyber Corps
as a cyber cop,
rather we're asking you to join it
with the idea in mind of assisting those of us
who are responsible and do have duties
to protect and defend on cyberspace,
so that we can get a better sense of what you really do
and what your views are.
I set up a cyber cop cypherpunk panel
at Computers, Freedom and Privacy several years ago
and invited some good friends.
Bruce Sterling has been our friend for a number of years.
We brought in Phil Zimmermann,
a number of other individuals.
I'd like to see that kind of thing continue
at conferences like this
where we can continue the dialogue
both offline as well as online.
Let me just add from the enforcement end of it,
your point is well taken.
Your point actually relates to an even broader theme
and that is the integrity of our justice system.
Training is an important component.
And part of the justice system is the enforcement end
and it's the laws that are on the book,
but ultimately what it boils down to is,
who do you have investigating the case?
Who do you have actually presenting the facts
of an investigation to an assistant or U.S. attorney?
How do they interpret those facts?
Does the judge understand the case?
Is justice meted out in a fair and even way
and in a consistent fashion?
And those are important points.
And I don't know if there's an easy answer to that,
but even though we're from the government,
we're also citizens ourselves
and we have family members that use the computer,
use the internet as we do as well.
And so to me, I have a personal sense
and I believe we're trying to instill in our own agents,
we have a huge amount of responsibility in the cyber arena,
maybe perhaps even more so than in the physical area,
because we're oftentimes dealing with issues and circumstances
that are not readily understood by those
and that part of the traditional and conventional law enforcement
and justice community.
So I don't know there's an easy answer,
but it's certainly a point well taken.
Who's?
Director 63, OMB 130,
12985, all those.
They don't have any claim to them.
What are you going to do to keep these lame system administrators
from staying in their jobs and working in the union
and getting them to, you know, be consistently secure?
So they're not doing these things
and protecting the systems they're supposed to be doing.
I think the insurance industry
is going to solve a lot of those problems, quite frankly,
with stockholder suits and things like that
if they're not adequately protecting their systems.
I'm not saying that's the only solution, but...
Well, as you've already learned,
you're not going to be able to rely exclusively on the government
to solve this problem.
There are people out there who have asked for,
at conferences like this, for your help.
And that is, in fact, the solution.
That's what PDD 63 contemplated was a true partnership
between the public and private sector.
And so that's one of the reasons why I'm here, quite frankly.
And if you're really interested in that,
I would be more than glad to talk to you offline.
I'm working with a group of people
who have set up a virtual private network
so that we can continue these kinds of discussions,
not just within the law enforcement community,
but also with folks like you.
I'll tell you, to follow on to that,
that's kind of a tough call in terms of the private sector,
because you have to walk that balance
between what are you going to mandate
to private business to do,
and what are you going to hope
that the marketplace encourages them to do.
And for anybody that's in business for themselves out there,
what they don't want to look for
is additional government regulation
telling them what they have to do
and how they have to do it.
And when it comes to the implementation of PDD 63
within the federal government,
such efforts as what the GAO understood
to try to get agencies to clean up their own act
is part of it.
But you have to understand,
you all are quite comfortable with some of these concepts.
There's a lot of people in the government
in some very important positions
that are just now coming to understand
what all this means
and how it actually affects
their day-to-day operations in the government.
And PDD 63 was a good thing,
and it pretty much set the stage
for the ideal concepts,
but it didn't necessarily provide a roadmap.
Hopefully the new national plan
will try to address that.
It will try to address those things as well.
But we all kind of know where we want to be,
but honestly there is no detailed
step-by-step checklist to get there.
Let me just add one other point.
Whether you're talking about OMB A-130
or E-Sign or GPEA
or any of these laws that are out there,
the larger struggle is that
the department or the agency,
I think they finally understand
that absolute security is impossible.
We've broken into an agency through its printer.
One side was internet,
one side was intranet.
Well, it was a device.
They didn't really view it as a computer.
They didn't view it as something
that had memory and a CPU and all that.
But what all those laws really require
of the departments and agencies
is that they do a risk assessment.
They have to have security commensurate
with their risk.
For example, if you look at
the Government Paperwork Elimination Act,
it defines a digital signature
as whatever you think it can be.
It's up to you as the department or agency
to say user ID and password is acceptable.
Well, that's the biggest struggle
that we in the GAO are going through right now
because we always get in.
Well, we get in, we write our report,
and we always up front in the report
tell them that they have to have a risk assessment.
They have to be able to manage based on risk.
Well, that's what do I have?
How long do I want to protect it?
Against whom?
At what cost?
And at what cost is the thing
that always gets in the way?
Because everybody talks about
a public key infrastructure,
but they ain't coming cheap,
and you can't get one off the shelf,
and they don't scale well,
and Kerberos breaks, you know,
at a certain threshold
and all the rest of that crap.
And we break into encrypted systems
because, you know,
the key is stored in the swap,
and they left the file in,
and all the rest of the junk that goes with it.
They aren't managing based on risk.
The government is still having a very tough time saying,
what do we do for a living?
So that's really the point that you as citizens,
as voters,
as people who are supposed to care
and be interactive with your government,
you're supposed to say,
I think the risk is this.
If you start making an argument
about privately held information
by the United States government,
like your tax records,
like your health records,
like what Wes was talking about,
then you're going to be part of this risk assessment.
Because the government's going to look at this room of people
and we're going to say,
okay, we'll take a statistical sample
and we'll base risk on
it has to be less than a particular percentage threshold.
Well, 10% of this room having their identity stolen
is a catastrophic failure for that 10%.
But that still means the government has a 90% success rate.
That's not how it's going to work.
Let me take just a minute.
Part of your question deals with skill sets
and certifications and security.
Under PDD 63, we talk about skill sets
and we talk about certifications.
Certainly, the new center of excellence concept
that's being sponsored out of the National Security Agency
as well as scholarships that will be available
for college juniors, seniors,
those pursuing graduate and PhDs
is going to help with improving the collegiate skill set
of those who are coming to work for the federal government.
As far as security is concerned,
if you guys think that you are the major problem
to the United States government,
I'm here to tell you that the insider threat issue
is actually a bigger problem.
Those who already have the keys
to the cookie jar who have some ax to grind
or who think they want to have fun
who are actually in there and causing some real damage
to some of our systems.
There's an awful lot of money being spent
on personnel surety
to try to catch some of these insider folks,
the most notorious of which, not cyber,
but the most notorious of which in today's news
is Robert Hanssen
and some of the damage and some of the lives
that he's caused to be lost as well.
So, you know, from the defense side,
we are looking at all of those things as well.
PDD 63 certainly goes a long way into helping us do that.
There's a tremendous amount of funding being generated
from Congress to allow us to implement some of those things.
You know, the government,
nobody out here wants the government to say do something.
The government sits back and gives you guidelines
and hopes everybody does the right thing.
Well, everybody doesn't do the right thing,
and that's why we have laws like HIPAA,
you know, the Health Insurance Portability Protection Act,
you know, which protects privacy and health information.
You know, go back to your hotel
and you'll find a sprinkler system in that hotel.
And trust me, it's not because the hotel wanted to protect your ass, okay?
It's because government came in finally
because people didn't build sprinkler systems in
and had to regulate it.
But that's the last thing the government wants to do
is regulate.
They want everybody to kind of move in the right direction,
do the right thing.
Who has the microphone?
A little while ago I attended the talk with a lawyer,
I don't remember his name.
We were talking about the Digital Millennium Copyright Act.
Now, this was a room full of geeks and a lawyer,
and none of us could figure it out.
It was so convoluted and so many loopholes
that nobody could figure it out.
I'm wondering, as enforcement, how do you guys figure it out?
You're supposed to enforce this mess.
Do you have any comments on that?
Well, I have a comment.
Every year, for the Department of Defense,
I put on a computer crime workshop, okay?
And what I invite are the information assurance population,
the criminal investigators, and our prosecutors.
And we bring them all together.
And at night, what we do is we have the Computer Crime Olympics.
And one of the events is called the Lawyer Spinorama, okay?
And what I do is I have each member of the team bend over,
put their forehead on a baseball bat, spin around ten times,
and run to the end of the room, and it's a timed event.
And this is to simulate how agents feel
after coming out of a conference with their lawyers.
It's also how the agents feel after coming out of a conference with a victim,
you know, talking different languages.
So what we're trying to do is get everybody to work together,
you know, have common language to understand what everybody's roles are.
But, you know, absolutely, there are different disciplines.
Everybody's got a role, and everybody's got to learn about
a little bit about the other person's discipline.
I think that's a very good question.
There's an old saying among those who have worked in Congress or close to Congress.
I'm a former Senate staff, judiciary staff member back in the early 80s.
The committee that I worked on was responsible for intellectual property.
But there's an old saying about laws in Congress, you know,
if you love the law and if you love sausage,
you don't particularly want to see either one of them being made.
And I can assure you that that is an issue, and it's a serious problem.
But the co-keynote over at Black Hat, Dr. Bill Tafoya,
is going to be in a position in the very near future, I think,
to have a lot to say and do with that particular issue.
And that is a very good question, and I hope that we can build
some real bridges between a lot of different communities
to make those kinds of laws more accessible, more understandable.
And our job in the federal government, in the training side,
is to train agents so that they can, in fact, enforce those laws.
And again, I'll just ask you, for those of you who are interested in this area
and are willing to help and work with us, we would be more than glad to do it.
We're almost out of time. We only have one more question here.
Well, given that it's illegal to,
like, poke at a machine for which you don't have permission,
given that we're interested in figuring out both how to break into these things
and how to prevent these break-ins,
and you're interested in figuring out how to prevent the break-ins,
have you guys ever considered setting up a domain where you give us permission
and say, it's okay, we're going to try and protect this thing,
you guys can get training, we can get training, and everybody's happy?
Actually, back in the '96, '97 time frame,
we were looking for a public-private partnership to do exactly that,
where it wouldn't be against the law.
We let people inside the first perimeter, and your job was, and everybody benefits.
We can test our countermeasures.
You can test the attacks against us, and then we know how to deploy.
Absolutely.
But all that requires resources, and unfortunately, you can ask any one of these guys.
That's one thing none of us have, is the resources to do that.
But, yes, we have thought about that.
Well, part of the problem, we looked at doing this at the National Security Agency
about maybe four or five years ago.
Setting up a site, probably in conjunction with this conference
that was just kicking off in its earlier years,
to let you guys come in and do a capture the flag type exercise with us.
The entire problem, when we presented this to our legal guys at the National Security Agency,
they kind of ran.
They said, no way are we going to let these guys come in.
So we have some tremendous legal issues when we set up something like that,
that we have to overcome.
Are people still looking at doing this?
The answer is, yes, they are.
Exactly.
But there are some extremely difficult legal issues.
And, of course, lawyers run scared all the time.
Not just NSA lawyers, but the Department of Defense lawyers are extremely conservative
when it comes to doing anything that potentially has vulnerabilities and risk associated with it.
Okay. Appreciate you all for coming.
Be important.
Be polite.
